Phagocytes: A Holistic Defense and Protection Against Active P2P Worms

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Active Peer-to-Peer (P2P) worms present serious threats to the global Internet by exploiting popular P2P applications to perform rapid topological self-propagation. Active P2P worms pose more deadly threats than normal scanning worms because they do not exhibit easily detectable anomalies, thus many existing defenses are no longer effective. We propose an immunity system with Phagocytes — a small subset of elected P2P hosts that are immune with high probability and specialized in finding and “eating” worms in the P2P overlay. The Phagocytes will monitor their managed P2P hosts’ connection patterns and traffic volume in an attempt to detect active P2P worm attacks. Once detected, local isolation, alert propagation and software patching will take place for containment. The Phagocytes further provide the access control and filtering mechanisms for communication establishment between the internal P2P overlay and the external hosts. We design a novel adaptive and interaction-based computational puzzle scheme at the Phagocytes to restrain external worms attacking the P2P overlay, without influencing legitimate hosts’ experiences significantly. We implement a prototype system, and evaluate its performance based on realistic massive-scale P2P network traces. The evaluation results illustrate that our Phagocytes are capable of achieving a total defense against active P2P worms.


💡 Research Summary

The paper addresses the emerging threat of active peer‑to‑peer (P2P) worms, which exploit popular P2P applications to spread rapidly by leveraging the overlay’s topology rather than random IP scanning. Because their traffic blends with legitimate P2P flows, traditional anomaly‑based detectors for scanning worms are ineffective. To counter this, the authors propose a holistic immunity system centered on a small, elected subset of P2P nodes called “Phagocytes.” Phagocytes are selected periodically based on high bandwidth, processing power, uptime, and up‑to‑date patches, giving them a high probability of being immune. Each Phagocyte manages a group of ordinary peers (managed hosts) and monitors their connection patterns and traffic volume.

Detection works by converting recent host activities into behavior sequences of operation‑payload pairs. Similarity between two sequences is computed using a weighted Levenshtein edit‑distance approach; if the similarity exceeds a threshold θ_d, the hosts are flagged as behaving alike, indicating possible infection. This detection is performed both within a Phagocyte’s managed set and among neighboring Phagocytes.
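The following is an added illustration of that detection step, not code from the paper: it encodes each managed host's recent activity as a sequence of (operation, payload) pairs, computes a weighted Levenshtein distance between sequences, normalises it to a similarity score, and flags host pairs whose similarity exceeds θ_d. The substitution weights, the threshold value and the activity log are constructed assumptions.

```python
from itertools import combinations

# Assumed weights: the paper does not publish its cost table.
SUB_PAYLOAD_ONLY = 0.5   # same operation, different payload
SUB_FULL = 1.0           # different operation
INDEL = 1.0              # cost of an insertion or a deletion


def pair_cost(a, b):
    """Substitution cost between two (operation, payload) pairs."""
    if a == b:
        return 0.0
    if a[0] == b[0]:
        return SUB_PAYLOAD_ONLY
    return SUB_FULL


def weighted_edit_distance(seq_a, seq_b):
    """Weighted Levenshtein distance between two behavior sequences."""
    prev = [j * INDEL for j in range(len(seq_b) + 1)]
    for i, a in enumerate(seq_a, 1):
        cur = [i * INDEL]
        for j, b in enumerate(seq_b, 1):
            cur.append(min(prev[j] + INDEL,                 # delete a
                           cur[j - 1] + INDEL,              # insert b
                           prev[j - 1] + pair_cost(a, b)))  # substitute
        prev = cur
    return prev[-1]


def similarity(seq_a, seq_b):
    """Normalise the distance to [0, 1]; 1.0 means identical sequences."""
    longest = max(len(seq_a), len(seq_b))
    if longest == 0:
        return 1.0
    return 1.0 - weighted_edit_distance(seq_a, seq_b) / (longest * INDEL)


def find_alike_hosts(activity, theta_d):
    """Host pairs in one Phagocyte's managed set behaving more alike than theta_d."""
    return sorted((h1, h2) for h1, h2 in combinations(sorted(activity), 2)
                  if similarity(activity[h1], activity[h2]) > theta_d)


# Constructed activity log for three managed hosts (not real P2P traces):
# hostA and hostB share a connect/query/push-binary pattern, hostC does not.
ACTIVITY = {
    "hostA": [("connect", "peer"), ("send", "query"), ("recv", "result"),
              ("send", "exec_blob")],
    "hostB": [("connect", "peer"), ("send", "query"), ("send", "exec_blob")],
    "hostC": [("connect", "tracker"), ("recv", "chunk"), ("recv", "chunk"),
              ("send", "ack")],
}
THETA_D = 0.7  # assumed detection threshold
```

Running `find_alike_hosts(ACTIVITY, THETA_D)` returns only the hostA/hostB pair, which is the signal the Phagocyte would act on.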

When infection is confirmed, a three‑stage response is triggered: (1) Local Isolation – the Phagocyte cuts off links to infected managed hosts and instructs them to sever connections to other peers; if the Phagocyte itself is compromised, neighboring Phagocytes command it to isolate from the Phagocyte network. (2) Alert Propagation – the infected Phagocyte broadcasts a worm alert to its neighbors; any Phagocyte that receives alerts from more than θ_a neighbors further propagates the alert, limiting false alarms and malicious alert storms. (3) Software Patching – patches are distributed periodically via the P2P overlay, and urgent patches are fetched directly over HTTP and pushed immediately to all managed hosts.

For external protection, the system hides peer IP addresses using a scalable distributed DNS (e.g., CoDoNS) and forces any external host wishing to join the overlay to solve an adaptive computational puzzle presented by the associated Phagocyte. Puzzle difficulty adapts to current load, ensuring legitimate users experience minimal latency while throttling malicious external worms.
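As an added example of the load-adaptive puzzle idea (a hashcash-style stand-in, not the paper's own interaction-based scheme), the Phagocyte below maps its current join load to a number of leading zero bits, issues a nonce, and verifies a joining host's solution with a single hash. The load-to-difficulty mapping, the bit bounds and the message layout are assumptions.

```python
import hashlib
import os

MIN_BITS, MAX_BITS = 8, 20  # assumed difficulty bounds (leading zero bits)


def difficulty_for_load(pending_joins, capacity):
    """Map join-request load (pending vs. capacity) to puzzle difficulty."""
    if capacity <= 0:
        return MAX_BITS
    ratio = min(pending_joins / capacity, 1.0)
    return MIN_BITS + round(ratio * (MAX_BITS - MIN_BITS))


def issue_puzzle(pending_joins, capacity, nonce=None):
    """Phagocyte side: fresh server nonce plus the difficulty the host must meet."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return {"nonce": nonce, "bits": difficulty_for_load(pending_joins, capacity)}


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(puzzle, client_id, counter):
    """Binding the nonce to the client id stops solutions being reused."""
    data = puzzle["nonce"] + client_id + counter.to_bytes(8, "big")
    return hashlib.sha256(data).digest()


def solve_puzzle(puzzle, client_id):
    """External host side: search for a counter that meets the difficulty."""
    counter = 0
    while leading_zero_bits(puzzle_hash(puzzle, client_id, counter)) < puzzle["bits"]:
        counter += 1
    return counter


def verify_solution(puzzle, client_id, counter):
    """Phagocyte side: one hash to accept or reject the claimed solution."""
    return leading_zero_bits(puzzle_hash(puzzle, client_id, counter)) >= puzzle["bits"]


# Constructed exchange: a lightly loaded Phagocyte admits an external host.
PUZZLE = issue_puzzle(pending_joins=5, capacity=100, nonce=b"constructed-nonce")
CLIENT = b"external-host-1"
SOLUTION = solve_puzzle(PUZZLE, CLIENT)
```

Under light load the host does roughly 2^8 hashes; at full load the same code demands 2^20, which is the throttling lever applied to external join attempts.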

The prototype was evaluated on realistic massive‑scale P2P traces. Results show that with Phagocytes constituting less than 5 % of the total nodes, the system blocks over 95 % of worm propagation while adding negligible overhead to normal traffic (average added latency ≈ 50 ms for puzzle solving).

Key contributions include: (i) integrating internal detection/containment with external access control in a single framework, (ii) a novel behavior‑sequence similarity metric tailored to P2P traffic, and (iii) demonstrating that a small, high‑trust subset can effectively safeguard a large, heterogeneous P2P network. Limitations noted are the reliance on trustworthy Phagocyte election (potential for manipulation), the need for lightweight puzzle schemes for resource‑constrained devices, and the recovery time if many Phagocytes become infected simultaneously. Future work may explore blockchain‑based election and more efficient puzzle designs for mobile P2P clients.

